MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34a28524e0c669a18d0160728935aa95ae4c33325499515efddfcc13fa1a941d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 34a28524e0c669a18d0160728935aa95ae4c33325499515efddfcc13fa1a941d
SHA3-384 hash: bc2589cb2019cfccab1f96461c45c2e6f71352ae07e9801bd8b62da9720a1a96e19b89d10f1c708aa2d51b77d5936f6f
SHA1 hash: 202a577fe9e919bb4ef7088d2f7cd7b20bb489ba
MD5 hash: 078e572d928bd124ea049c8e35a11d21
humanhash: tango-butter-carolina-mountain
File name:078e572d928bd124ea049c8e35a11d21
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:1'657'840 bytes
First seen:2022-11-14 12:10:26 UTC
Last seen:2022-11-14 13:55:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash abf17bbb1d234cebb6ddea72cf750325 (2 x RemcosRAT, 1 x Smoke Loader, 1 x LgoogLoader)
ssdeep 24576:ZFBWt/dOwrv6bDZP1y6v0vNTx5tAk4VsNRDpy+77aHPhWU/RxrjuKU6OQb:ZFBi/dydy1+Nz+vihW8Zv/
Threatray 6'846 similar samples on MalwareBazaar
TLSH T12A75BFF2BB966DA2D28E2132DFF737590A6C31A6C71F0AEEDE72B90DC514CAC1016550
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 2086c669168e8e10 (1 x RemcosRAT)
Reporter zbetcheckin
Tags:32 exe RemcosRAT signed

Code Signing Certificate

Organisation:www.priceline.com
Issuer:GlobalSign Atlas R3 DV TLS CA 2022 Q4
Algorithm:sha256WithRSAEncryption
Valid from:2022-11-04T15:42:31Z
Valid to:2023-12-06T15:42:30Z
Serial number: 018c2f0e06fbf6023b046d193db7bf4b
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: bbbabd49e2cfab2d71494229f582c2b9f6571ab1a008f8d2b5bdda4809a1ce3f
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
F00015722EXpo.xls
Verdict:
Malicious activity
Analysis date:
2022-11-14 07:08:35 UTC
Tags:
macros trojan opendir exploit cve-2017-11882 loader remcos
Link:
https://app.any.run/tasks/714fdc48-bcb8-4cf6-b60d-1b5a492f02ee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/333715/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.63632957.19384.4733.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Creating a file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/52309/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63723057bde1d4a13243d545/reports/68c8c47e-a119-4d77-bace-29507ab5c84a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c48ebc17-7633-4a32-9fbc-eefe27a76e23
Result
Threat name:
Remcos, AgentTesla
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1112841
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Self deletion via cmd or bat file
Sigma detected: Remcos
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Generic Downloader
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 745533 Sample: m05Rg74GWh.exe Startdate: 14/11/2022 Architecture: WINDOWS Score: 100 90 Multi AV Scanner detection for domain / URL 2->90 92 Malicious sample detected (through community Yara rule) 2->92 94 Antivirus detection for URL or domain 2->94 96 12 other signatures 2->96 10 m05Rg74GWh.exe 10 2->10         started        15 Bibewapo kar sef.exe 12 2->15         started        process3 dnsIp4 78 tp2uprl3xwt8.k4w2pcwg6lmjnq3gmisf0d 10->78 60 C:\Users\user\mevi\Bibewapo kar sef.exe, PE32 10->60 dropped 62 C:\...\Bibewapo kar sef.exe:Zone.Identifier, ASCII 10->62 dropped 128 Self deletion via cmd or bat file 10->128 130 Uses schtasks.exe or at.exe to add and modify task schedules 10->130 17 Bibewapo kar sef.exe 13 10->17         started        21 cmd.exe 1 10->21         started        23 schtasks.exe 1 10->23         started        80 tp2uprl3xwt8.k4w2pcwg6lmjnq3gmisf0d 15->80 82 xpertsolutionsac.com 15->82 132 Writes to foreign memory regions 15->132 134 Allocates memory in foreign processes 15->134 136 Injects a PE file into a foreign processes 15->136 25 ngentask.exe 15->25         started        file5 signatures6 process7 dnsIp8 68 tp2uprl3xwt8.k4w2pcwg6lmjnq3gmisf0d 17->68 70 xpertsolutionsac.com 192.185.25.46, 443, 49711, 49715 UNIFIEDLAYER-AS-1US United States 17->70 98 Writes to foreign memory regions 17->98 100 Allocates memory in foreign processes 17->100 102 Injects a PE file into a foreign processes 17->102 27 ngentask.exe 2 19 17->27         started        104 Uses ping.exe to check the status of other devices and networks 21->104 32 PING.EXE 1 21->32         started        34 conhost.exe 21->34         started        36 chcp.com 1 21->36         started        38 conhost.exe 23->38         started        signatures9 process10 dnsIp11 84 maz.mastercoa.co 192.30.89.67, 3444, 49710, 49712 CLOUDSINGULARITYCA Canada 27->84 86 geoplugin.net 178.237.33.50, 49714, 80 ATOM86-ASATOM86NL Netherlands 27->86 64 C:\Users\user\AppData\Local\Temp\dwn.exe, PE32 27->64 dropped 66 C:\ProgramData\remcos\logs.dat, data 27->66 dropped 138 Maps a DLL or memory area into another process 27->138 140 Installs a global keyboard hook 27->140 40 dwn.exe 6 27->40         started        44 ngentask.exe 1 27->44         started        46 ngentask.exe 2 27->46         started        48 3 other processes 27->48 88 127.0.0.1 unknown unknown 32->88 file12 signatures13 process14 file15 58 C:\Users\user\AppData\Roaming\...\Youukz.exe, PE32 40->58 dropped 114 Antivirus detection for dropped file 40->114 116 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 40->116 118 May check the online IP address of the machine 40->118 126 4 other signatures 40->126 50 dwn.exe 40->50         started        54 powershell.exe 40->54         started        120 Tries to steal Instant Messenger accounts or passwords 44->120 122 Tries to steal Mail credentials (via file / registry access) 44->122 124 Tries to harvest and steal browser information (history, passwords, etc) 46->124 signatures16 process17 dnsIp18 72 smtpm.csloxinfo.com 203.146.237.242, 49724, 587 CSLOXINFO-AS-APCSLOXINFOPUBLICCOMPANYLIMITEDTH Thailand 50->72 74 api.ipify.org.herokudns.com 52.20.78.240, 443, 49722 AMAZON-AESUS United States 50->74 76 api.ipify.org 50->76 106 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 50->106 108 Tries to steal Mail credentials (via file / registry access) 50->108 110 Tries to harvest and steal ftp login credentials 50->110 112 Tries to harvest and steal browser information (history, passwords, etc) 50->112 56 conhost.exe 54->56         started        signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/34a28524e0c669a18d0160728935aa95ae4c33325499515efddfcc13fa1a941d/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-11-14 06:22:30 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gsrikjhayzu2ddibmbzisnnkswxeymzsksmvcxx537gbh6q2sqoq._file
Verdict:
malicious
Similar samples:
332e77ec0d01e6851adf5515fcb2547065c62299bccf7b9c1abf0719cc423375
RemcosRAT
4b3b8c9037168a82409fbe027ecf77ba5b1b9262960b07dde8e15acfb1e3a5df
RemcosRAT
4d54ba1e4eccdeaa5423f0bae61f1f97a9e21afc4ba3db55f6e6b78d84bf26cf
RemcosRAT
523c73801cb0175c81f507010d68ba97fc644a6ff84e5e6c0a79d5ec0b012b10
RemcosRAT
790b3b8530edbb84ca3a96c2dead6309fd0c12e7f2c08083fc363fe7588d4000
RemcosRAT
84374cb55c56fb530ef4f83f655ffeb7463e8c0452d7f13d57535d9e032e761f
RemcosRAT
eab9a40c5379d460e7d5f3d11c2b766ce8674c2240110e063fecb0c651e0dd67
RemcosRAT
+ 6'836 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:remcos botnet:remotehost collection keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/221114-pck7wsgb41/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
AgentTesla
Remcos
Malware Config
C2 Extraction:
maz.mastercoa.co:3444
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2ea4533a-3f61-49ba-aad8-e87c9460111e
Unpacked files
SH256 hash:
88c500fbf0f4b996e3fb8a65233a9e73038f3cc9e24ea673a315e933b5a7f37e
MD5 hash:
23e79d7471fdf756eacc2b360818af6f
SHA1 hash:
9292eac5af805716114101dc32db257030dfc3cb
Link:
https://www.unpac.me/results/f6b0e420-0cb9-4ce2-b360-98fbc2d92a7b/
SH256 hash:
34a28524e0c669a18d0160728935aa95ae4c33325499515efddfcc13fa1a941d
MD5 hash:
078e572d928bd124ea049c8e35a11d21
SHA1 hash:
202a577fe9e919bb4ef7088d2f7cd7b20bb489ba
Link:
https://www.unpac.me/results/f6b0e420-0cb9-4ce2-b360-98fbc2d92a7b/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/34a28524e0c6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/34a28524e0c669a18d0160728935aa95ae4c33325499515efddfcc13fa1a941d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemcosRAT

Executable exe 34a28524e0c669a18d0160728935aa95ae4c33325499515efddfcc13fa1a941d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2410533/
Cape
Cape
https://www.capesandbox.com/analysis/333715/

Comments


Avatar
zbet commented on 2022-11-14 12:10:33 UTC

url : hxxp://35.178.245.215/779/vbc.exe